Adfly code injected

Status
Not open for further replies.

bdistler

Just to expand on what @ChatIndia said, we have also implemented a feature in our cPanel that allows you to globally toggle error reporting, if you don't want to change your files. You can do this by choosing "Select PHP Version" on cPanel x3's homepage, then "Switch to PHP Settings". From there, you can change the display_errors value from Off to On
after I did that - I found these 11 new lines ( the last two are blank ) added to the top of my [ .htaccess ] file...
Code:
<script type="text/javascript"> 
    var adfly_id = 7814644; 
    var adfly_advert = 'int'; 
    var frequency_cap = 5; 
    var frequency_delay = 5; 
    var init_delay = 3; 
    var popunder = false; 
</script> 
<script src="https://cdn.adf.ly/js/entry.js"></script>
AND the bottom 13 lines + part of the 14th deleted
 

caftpx10

after I did that - I found these 11 new lines ( the last two are blank ) added to the top of my [ .htaccess ] file...
Code:
<script type="text/javascript">
    var adfly_id = 7814644;
    var adfly_advert = 'int';
    var frequency_cap = 5;
    var frequency_delay = 5;
    var init_delay = 3;
    var popunder = false;
</script>
<script src="https://cdn.adf.ly/js/entry.js"></script>
AND the bottom 13 lines + part of the 14th deleted
Won't that cause an error due to invalid code in the .htaccess file? And why is the adf.ly CDN JavaScript even there? o-o
 

bdistler

Won't that cause an error due to invalid code in the .htaccess file? And why is the adf.ly CDN JavaScript even there? o-o
someone can tell me - why those lines did not throw an error AND why those lines were added to the top AND why some bottom lines were deleted ??
 

Dead-i

x10Hosting Support Ninja
Community Support
Hi bdistler,

I can't seem to replicate this on our servers. Does this still happen when changing the display_errors variable? This should not alter any of your files, and only changes your account's local PHP configuration.

Topic split. :)

Thank you,
 

caftpx10

I remember trying to shorten a link using bit.ly but when people visit it, they end up on some advertisement site apart from me. Same effect on a shortener that isn't bit.ly.
This was all on mobile.

Maybe something was injected into the browser which caused this?
 

bdistler

I can't seem to replicate this on our servers. Does this still happen when changing the display_errors variable?...
after more testing - I found the changes are made to any file I download from the server - but no changes to those I upload - I do not think it has anything to do with setting error reporting to 'on' in cPanel x3

my other computer that has FileZilla is down - when I get it back up I will do more testing
 

Dead-i

x10Hosting Support Ninja
Community Support
Hi bdistler,

I've been looking into this on xo3, and I can't seem to replicate it from my test account. Downloading files using FTP does not seem to produce this code, and I can't see that code matching any of your files. Please do try from another computer and let me know how it goes. :)

Thank you,
 

ace_case

This seems kinda like a virus. Do links in pages you download get changed or does this make all links on the page adfly links? It could be a virus that injects someone else's adfly code into your website. Website Hijacking instead of Browser Hijacking maybe?
 

caftpx10

It would make sense if this injects itself into pages, that could potentially cause this.
We don't know how this new option works.
It could be using predefined input to do the job but the code got injected to that area required.

If not that then I'm wondering how it got in.
 

ace_case

It would make sense if this injects itself into pages, that could potentially cause this.
We don't know how this new option works.
It could be using predefined input to do the job but the code got injected to that area required.

If not that then I'm wondering how it got in.

It is possible for it to be an outdated plugin of some sort allowing an attacker to write to files, or a trojan horse plugin that writes it to the files, though honestly I think it'd be easier if it changed it after the page loads via JS or something. It'd make it more undetectable.
 

caftpx10

I would check for any suspicious browser extensions and software that was installed (regardless if authorised).
It is possible for it to be an outdated plugin of some sort allowing an attacker to write to files, or a trojan horse plugin that writes it to the files, though honestly I think it'd be easier if it changed it after the page loads via JS or something. It'd make it more undetectable.
The browser does download the resulting webpage, so code injection caused by software / add-ons is possible..
 

ace_case

I would check for any suspicious browser extensions and software that was installed (regardless if authorised).

The browser does download the resulting webpage, so code injection caused by software / add-ons is possible..
From what I've gathered, those lines are actually in the file, not injected onto the page after it's loaded. It's pretty unlikely it's a browser extension. A virus could do this, but it's probably a plugin. Or just weirdness. Weirdness is always an option.
 

caftpx10

From what I've gathered, those lines are actually in the file, not injected onto the page after it's loaded. It's pretty unlikely it's a browser extension. A virus could do this, but it's probably a plugin. Or just weirdness. Weirdness is always an option.
What I meant is that the code could be injected into a submission element (such as a hidden text box) and after submission, that code could've been placed into that file as a result.
 

ace_case

What I meant is that the code could be injected into a submission element (such as a hidden text box) and after submission, that code could've been placed into that file as a result.
I think he is using ftp for his files. Even then, the submission verification should ignore any extra data unless coded to allow it.
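
Added example, not part of any post in this thread: one way to check the observation above that only downloaded copies are changed is to compare a downloaded file with the bytes of the same file read directly on the server. It measures how much was prepended, how much of the tail is missing, and whether the adf.ly markers from the quoted snippet sit in the added part. The function names and the sample data are assumptions made for this illustration.

```python
# Markers taken from the snippet quoted in this thread.
MARKERS = (b"adfly_id", b"cdn.adf.ly/js/entry.js")

def split_injection(server: bytes, local: bytes):
    """Split local into (added_prefix, kept_body), where kept_body is the
    longest tail of local that the server copy starts with."""
    for k in range(len(local)):
        if server.startswith(local[k:]):
            return local[:k], local[k:]
    return local, b""  # nothing in common with the server copy

def compare_copies(server: bytes, local: bytes) -> dict:
    """Describe how the downloaded copy differs from the server copy."""
    prefix, body = split_injection(server, local)
    return {
        "injected_bytes": len(prefix),               # bytes added at the top
        "truncated_bytes": len(server) - len(body),  # bytes missing at the end
        "same_size": len(server) == len(local),
        "markers": [m.decode() for m in MARKERS if m in prefix],
        # True means the change happened after the file left the server.
        "server_clean": not any(m in server for m in MARKERS),
    }

# Constructed sample data (not real files): a server-side .htaccess and a
# "downloaded" copy with the thread's snippet prepended and the tail cut off.
SERVER = b"".join(
    b"# rule %d\nRewriteRule ^old%d$ /new%d [R=301,L]\n" % (i, i, i)
    for i in range(20)
)
SNIPPET = (
    b'<script type="text/javascript">\n'
    b"    var adfly_id = 7814644;\n"
    b"    var adfly_advert = 'int';\n"
    b"    var frequency_cap = 5;\n"
    b"    var frequency_delay = 5;\n"
    b"    var init_delay = 3;\n"
    b"    var popunder = false;\n"
    b"</script>\n"
    b'<script src="https://cdn.adf.ly/js/entry.js"></script>\n\n\n'
)
LOCAL = SNIPPET + SERVER[: len(SERVER) - len(SNIPPET)]

if __name__ == "__main__":
    for key, value in compare_copies(SERVER, LOCAL).items():
        print(f"{key}: {value}")
```

If `server_clean` is true while `markers` is non-empty, the file on the server is intact and the snippet was added in transit or on the downloading machine, so that machine and its network path are what to examine.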
 